From dc698ec6f10488a82ee0bd96ad9af7b68c98e6d2 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 14 May 2019 16:56:14 +0200
Subject: [PATCH 2/2] views: validates logout next URL (#33087)

---
 src/authentic2/views.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/authentic2/views.py b/src/authentic2/views.py
index c7bee83c..cb3452e9 100644
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -529,9 +529,6 @@ def redirect_logout_list(request):
 def logout(request, next_url=None,
- default_next_url='auth_homepage',
- redirect_field_name=REDIRECT_FIELD_NAME,
- template='authentic2/logout.html',
 do_local=True, check_referer=True):
 '''Logout first check if a logout request is authorized, i.e.
@@ -541,12 +538,13 @@ def logout(request,
 Logout endpoints of IdP module must re-user the view by setting
 check_referer and do_local to False.
 '''
- default_next_url = utils.make_url(default_next_url)
- next_url = next_url or request.GET.get(redirect_field_name, default_next_url)
+ next_url = next_url or utils.select_next_url(request, settings.LOGIN_REDIRECT_URL)
+
 ctx = {}
 ctx['next_url'] = next_url
 ctx['redir_timeout'] = 60
 local_logout_done = False
+
 if request.user.is_authenticated():
 if check_referer and not utils.check_referer(request):
 return render(request, 'authentic2/logout_confirm.html', ctx)
@@ -561,7 +559,7 @@ def logout(request,
 ctx['next_url'] = next_url
 ctx['logout_list'] = fragments
 ctx['message'] = _('Logging out from all your services')
- return render(request, template, ctx)
+ return render(request, 'authentic2/logout.html', ctx)
 # Get redirection targets for full logout with redirections
 # (needed before local logout)
 targets = redirect_logout_list(request)
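Review bot: Dropping the `default_next_url`, `redirect_field_name` and `template` keyword parameters from `logout` is an API break that the commit message does not mention: the docstring says IdP module logout endpoints re-use this view, and any such caller still passing one of those names would now raise `TypeError` instead of logging the user out. Either keep accepting them for one release (e.g. an ignored `**kwargs` that emits a deprecation warning) or state the removal explicitly in the commit message so callers can be grepped for. The docstring continues outside the hunk; if it still describes the removed parameters it should be updated in the same commit.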
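Review bot: The new validation only covers the URL taken from the request: `next_url = next_url or utils.select_next_url(...)` returns a caller-supplied `next_url` unchecked, so an IdP endpoint that passes a `next_url` derived from its own protocol parameters bypasses the host check this commit introduces. If that is the intended contract, say so in the docstring, e.g. `next_url, when given explicitly, is used as-is and must already be validated by the caller`; otherwise route the explicit value through the same check. The fallback also moves from the `auth_homepage` view to `settings.LOGIN_REDIRECT_URL`, which changes where users land after logout unless the two resolve to the same page. Neither `select_next_url`'s body nor the import of `settings` is visible in the hunk, so both the off-site rejection and the module-level import are assumed rather than verified; the body of `logout` continues past the hunk.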
@@ -583,7 +581,7 @@ def logout(request,
 next_url = targets.pop(0)
 request.session['logout_redirections'] = targets
 logger.debug('Next redirection : {}'.format(next_url))
- response = utils.redirect(request, next_url)
+ response = shortcuts.redirect(next_url)
 if local_logout_done:
 response.set_cookie('a2_just_logged_out', 1, max_age=60)
 messages.info(request, _('You have been logged out'))
-- 
2.20.1
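Review bot: `shortcuts.redirect(next_url)` (presumably `django.shortcuts.redirect`) performs no target validation and also resolves view names and objects with `get_absolute_url()`, so replacing `utils.redirect(request, next_url)` is safe only because `next_url` here is popped from `targets`, i.e. the output of `redirect_logout_list(request)` kept in the session, not a request parameter. That reasoning is not visible at the call site and is easy to lose in a later refactor; a one-line comment above the call, `# next_url is a service logout URL from redirect_logout_list(), not user input`, would record it. Whatever `utils.redirect` did beyond a plain redirect (its body is not shown) is dropped here, so confirm nothing depended on it, and the `shortcuts` import must exist at module level. The rest of the redirection loop and the final redirect to the validated `next_url` are outside the hunk.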